Popular File Managing App for Android Can Also Leak Your Data

A security researcher says he's uncovered a flaw in the ES File Explorer app, which can let someone on the same Wi-Fi network as your phone steal files from the device.

A popular file manager app for Android appears to have a serious design flaw that can let a nearby hacker on the same Wi-Fi network download files from your phone.

The app, called ES File Explorer, has more than 100 million downloads worldwide. It works by gaining access to your phone's storage so you can view, manage, and share the files stored on the device.

But the app has a big problem: Once you open it, your phone also becomes an open web server, according to the security researcher Robert Baptiste, who also goes by the moniker "Elliot Alderson." He's been investigating the product and noticed the server functionality, which can be abused to control the app remotely.

"If you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone," he said on Wednesday in a tweet about the vulnerability.

With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file managers. The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN

Baptiste has uploaded a proof-of-concept demonstrating how the attack can work. Through a piece of JavaScript code he wrote, the exposed web server functionality can be used to pull files from the target phone, list everything that has been downloaded or installed, and even remotely launch other apps on the handset.

Of course, the attack only works if the attacker is on the same Wi-Fi network as the target device, so the chance of someone falling victim to the flaw remains low. Nevertheless, the design choice to include the hidden server functionality is still disturbing.

"Worth to say, I'm convinced this 'feature' has been implemented by design," Baptiste said over Twitter. "Imagine a scenario: I'm Chinese, I have ES File Explorer installed on my phone. I'm on the subway and I used to connect to the public Wi-Fi. 'The authorities' can use this 'feature' against me."

The company behind the app, ES Global, didn't immediately respond to a request for comment. The app does contain a remote file management feature that is specifically designed to let you access files on your phone from a nearby PC on the same Wi-Fi network. However, that feature should only be active when you toggle it on, not by default.